Floor Speech

Mr. Speaker, I rise in opposition to the rule. At the outset, let me say that the cyber threat is real and its damage already devastating. And I very much appreciate the work that the chair and ranking member of the Intelligence Committee have done on this bill, and I appreciate that we have made and are continuing to make improvements.

But as the bill currently stands and as it will stand even after the amendments allowed by the rule are adopted, the bill simply does not do enough to protect the private information of Americans. Most importantly, I'm disappointed that the proposed rule does not allow an amendment that I offered with Ms. Schakowsky, Ms. Eshoo, Mr. Holt, and Mr. Thompson of Mississippi. My amendment would fix an issue specifically cited by the White House in its Statement of Administration Policy in explaining why the President's advisers would recommend a veto of CISPA without important change. It would require the companies that share cyber threat information either with the government or with another private company to make reasonable efforts to remove personally identifiable information.

As the administration stated in its veto threat, the administration remains concerned that the bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities. Citizens have a right to know that corporations will be held accountable--and not granted immunity--for failing to safeguard personal information adequately.

The requirement of government-alone efforts to safeguard or minimize personal information is simply not enough. This is most apparent when, under the immunized conduct in the bill, private entities can share information with each other without ever going through the government. In those circumstances, how can the government minimize what it never possesses? So government-side minimization alone, which is all this bill includes, is not enough.

We have responded to the concerns of industry by making sure that when we ask them to take reasonable efforts to remove personal information, they can do so in real-time through automated processes. The witnesses who testified before the Intelligence Committee said that often the private parties are in the best position to anonymize the data. This is something they're doing anyway. And it's more than reasonable to require them to do that, particularly if we want to give them a broad grant of immunity.

Mr. Speaker, without an amendment to ensure that companies remove private information when they can do so--when they can do so through reasonable efforts--I cannot support the underlying bill. I believe that Members of both parties who support this change deserve the chance to vote on it. I suspect that because that issue would have gathered broad support, it is not being brought up for a vote here on the floor, and that is very disappointing. Accordingly, I urge a ``no'' vote on the rule, and I thank the gentleman for yielding.

BREAK IN TRANSCRIPT

Mr. SCHIFF. I thank the gentleman for yielding the additional time.

And just to respond to my colleague, I'd be interested to know if there is anything you can point to in those 17 amendments that governs or requires the private sector, when it shares information with other private sector entities, to remove personally identifiable information. Because under the bill, the only minimization that's required is being done by the government; and in the case of private-to-private sector sharing, there is no government role. So this is the big hole.

While there are many private sector companies that may support the bill because it gives them broad immunity without any responsibility, that doesn't mean it's good policy, particularly when private companies have said they would make reasonable efforts. They're willing to do it; they can do it; they have the capacity to do it; we're just not asking them to do it or requiring them to do it. And we're giving something of great value to them, and that is we're giving them broad immunity. I think with that immunity ought to come some responsibility; and it shouldn't be too much to ask that that responsibility take the form of a reasonable effort, not a herculean one, not an impossible one, but a reasonable effort to ensure that Americans' privacy interests are observed and they take out that information when they can.